KaspaCom LFG MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for creating and trading tokens, but it can perform real on-chain financial actions without clear confirmation and slippage safeguards for trades.

Install only if you intend to let an agent use SURGE for token launches and trades. Use a limited API key and wallet balance, confirm every launch and trade manually, set reasonable slippage limits instead of accepting zero-minimum-output examples, and treat server-managed wallets as custodial access to funds.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill includes executable buy/sell command examples for blockchain launch tokens without any warning that these actions can move real funds, incur fees, and be irreversible once submitted on-chain. In an agent skill context, this is more dangerous because users or autonomous agents may treat the examples as safe defaults and execute financial transactions without confirmation, slippage controls, or clear understanding of asset impact.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal